Bug Bounty Hunting, its pros and cons



  1. What is bug bounty hunting?
  2. Why are bug bounty programs held?
  3. How can one earn money by bug bounty hunting?
  4. What is the scope of bug bounty hunting?
  5. What are the prerequisites to become a successful bug bounty hunter?
  6. Sites that host bug bounty programs.
  7. Some of the best sources to start a career in bug bounty hunting.
  8. Pros and cons of bug bounty hunting.

  1. What is bug bounty hunting?
Bug bounty programs are a collaboration between companies and white-hat hackers, who work together to expose security vulnerabilities and bugs in a company's technology. Most importantly, the companies running bug bounty programs can set ground rules and limits on how they want hackers to test their site, how far they can go in breaking their website, and what kind of compensation hackers can expect to receive for reporting vulnerabilities.
  2. Why are bug bounty programs held?
Developers at companies write the code, but sometimes mistakes or flaws are made and left unseen. A mistake can be as small as a missing ";" or as large as a flaw that can lead to a main domain takeover. The security teams in companies hardly have time to find each and every bug, and sometimes, because of a lack of manpower, security teams are left powerless. So these security teams reach out to private contractors for help, offering a bounty in return.
  3. How can one earn money by bug bounty hunting?
Bug bounty hunters are paid cold, hard cash to find bugs in web applications, software and websites. The bug bounty hunter is rewarded depending on the impact of the vulnerability. The reward can vary from a stunning t-shirt to thousands of dollars per bug; again, it depends on how badly your vulnerability affects the asset under test. One can make thousands of dollars a year in addition to a day job by finding bugs and writing reports on them, or one can do it freelance and make it a full-time career.
  4. What is the scope of bug bounty hunting?
A survey of 1,700 bug bounty hunters from more than 195 countries and territories by security firm HackerOne, augmented by the company's data on 900 bug bounty programs, has found that white-hat hackers earn a median salary that's 2.7 times that of typical software engineers in their home countries.
In some places, the gap is far more pronounced. In India, for example, hackers make as much as 16 times the median programmer salary. In the US, they earn 2.4 times the median.
HackerOne bases its salary figures on data from PayScale. For India, the median annual software engineer salary is $6,418. For the US, it's $81,193.
(reference: https://www.theregister.co.uk/2018/01/17/bug_bounties_pay/)
  5. What are the prerequisites to become a successful bug bounty hunter?
(a) Read tons: Read, read and repeat. It is a very vast field, and finding a major bug requires deep knowledge of the concepts. It is a combination of knowledge and observation, and sometimes even luck. You should be able to recognise what a vulnerability is and how it can be exploited. Many blogs keep you updated with the latest information in the infosec field. Go to well-known sites like HackerOne, go through the profiles of top bug bounty hunters one by one, and follow them on Twitter, as their accounts are listed in their profiles. Sometimes top bug bounty hunters disclose their reports on their Twitter accounts; that can be of tremendous benefit, as it tells you how they approached finding that bug. There are a lot of books that can make you a master of bug bounty hunting if you rifle through each and every line.

(b) Keep learning: You must always try to learn new concepts and tools; this can be very beneficial, making your work easier. Many times a new tool comes onto the market targeted at finding a specific type of bug, and it can earn you an adequate amount of money if used in bug finding.

(c) Languages you should learn: You should have some prior knowledge of languages like HTML, CSS and JavaScript. You should also know some scripting languages like Python, Ruby and Bash; these help with automation, which makes the work a lot easier. It is recommended to learn some basic concepts of networking and how HTTP APIs and protocols work. You should learn to build applications in Python (Django framework) or Ruby (Rails framework) so that you get an idea of how apps work and where a flaw in an application can be present.

(d) Give it a shot: You should think outside the box; the major bugs take time and out-of-the-box thinking. It is more valuable to find one bug that pays you $1000 than five bugs that pay you $200. If you find a small bug, try to dig deeper, combining it with other factors that can make its impact greater.

(e) Keep calm and expect nothing: Keep your emotions under control. Sometimes a company will pay you more than expected for a small bug, so you should also be prepared for the company to send you a plain t-shirt for a major bug. It is full of surprises, don't you think? XD
  6. Sites that host bug bounty programs:

  1. HackerOne
  2. Bugcrowd
  3. Vulnerability Lab
  4. FireBounty

  7. Some of the best sources to start a career in bug bounty hunting:
Best books:
  • Web Hacking 101
  • The Web Application Hacker's Handbook
  • OWASP Testing Guide v4
  • Penetration Testing
  • The Hacker Playbook: Practical Penetration
  • Mobile Application Hacker's Handbook
  • iOS Application Security
  8. Pros and cons of bug bounty hunting:
Here comes the most important part of this blog: the points you should keep in mind if you are thinking of making bug bounty hunting a career.
Pros and cons:
  a) From the point of view of the company hosting the bug bounty program:
  • Hosting bug bounty programs attracts both white-hat hackers and black-hat hackers, with a comparable level of benefits and consequences. If a major bug is found by a black-hat hacker (cracker), it can lead to a breach of confidential data, a main domain or subdomain takeover, or even deletion of the entire site.
  • If the company's budget is fair enough, the company can host and pay for the program for more days, and more and more bugs can be patched; this also improves the standing and image of the company in the market. In contrast, if the company's budget is not up to the mark, this can sometimes lead to not paying for major bugs, many complaints against the company, and a decline in its image.
  • Sometimes hackers contribute to free bug bounty programs and major bugs get patched, but sometimes, even for paid bug bounties, hackers disclose the bug reports for fame or sell their knowledge on the black market. This can have serious consequences.
  b) From the point of view of bug bounty hunters:
  • There is no limit to how much money you can make with bug bounties or how many bugs you can find. So it can cost you a lot of time in exchange for nothing, or thousands of bucks for comparatively little time. It is sometimes a matter of luck too.
  • One can do bug bounty hunting as a side career alongside a main job and make it an extra source of income; in contrast, full-time bug bounty hunters can starve for a long time without being paid any serious bucks.
  • One interacts with many target-focused and experienced people, which can give you motivation and a craving to find more bugs. But sometimes you get in touch with a black-hat hacker with bad intentions, and trusting that person can make you suffer.
  • Companies sometimes pay more than expected for a bug and sometimes give just points for a major bug; you must be prepared for both.
  • There is a list of bug bounty programs categorised by the platforms they are built on, so if you have expertise in some platform there is a better chance of finding big bugs, and you can understand the code better. But not having knowledge of the platform can cost you a lot of time and earn no money at all.
  • There is a short list of rules that you ought to follow while testing their website. Following these rules properly earns you a badge of discipline, but there is a chance you did not consider some rule while testing, and violating these rules can get you banned from hunting those sites even if you have found a critical flaw in the code.
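Two of the points above go together: section 5(c) recommends scripting for automation, and the last bullet warns that testing outside a program's rules gets you banned. The first thing worth automating is therefore a scope check run before any testing starts. The script below is an added example written for this post, not code from any bug bounty platform; the in-scope and out-of-scope lists are constructed, and the wildcard semantics (a `*.` entry covers subdomains only, exclusions win over inclusions, anything unlisted is treated as not testable) are this example's assumptions, which you should replace with the wording of the actual program you are working on.

```python
"""Scope checker: decide whether a target host is inside a bug bounty program's
stated scope before any testing starts. Added example; the scope lists below are
constructed and the matching rules are assumptions, not any real program's policy."""
from urllib.parse import urlsplit

# Constructed sample scope in the wildcard style many program pages use.
IN_SCOPE = ["*.example.com", "api.example.net"]
OUT_OF_SCOPE = ["legacy.example.com", "*.staff.example.com"]


def host_of(target):
    """Return the bare, lowercase hostname of a URL or plain host string.
    Ports, paths and credentials are dropped; a trailing dot is removed."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat a bare host as a netloc
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no hostname found in {target!r}")
    return host.lower().rstrip(".")


def matches(host, pattern):
    """Assumed wildcard rule: '*.base' matches any subdomain of base but not
    base itself; any other pattern must match the host exactly. Matching on
    the dot boundary prevents 'evil-example.com' matching '*.example.com'."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host.endswith("." + base)
    return host == pattern


def scope_status(target, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE):
    """Return 'in', 'out' or 'unlisted' for a target.
    Exclusions are checked first so an out-of-scope entry always wins, and a
    host that appears in neither list is reported as 'unlisted' so the safe
    default is to not test it (or to ask the program first)."""
    host = host_of(target)
    if any(matches(host, p) for p in out_of_scope):
        return "out"
    if any(matches(host, p) for p in in_scope):
        return "in"
    return "unlisted"


def partition_targets(targets, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE):
    """Group a list of candidate targets by scope status so that only the
    'in' group is handed to any further tooling."""
    groups = {"in": [], "out": [], "unlisted": []}
    for t in targets:
        groups[scope_status(t, in_scope, out_of_scope)].append(t)
    return groups


if __name__ == "__main__":
    # Constructed candidate list, as a recon step might produce it.
    candidates = [
        "https://app.example.com/login",
        "legacy.example.com",
        "https://hr.staff.example.com:8443/",
        "example.com",
        "api.example.net",
        "evil-example.com",
        "app.example.com.attacker.test",
    ]
    for status, hosts in partition_targets(candidates).items():
        print(f"{status:9s}: {hosts}")
```

Feed the script the scope section of a program page and a list of hosts you have enumerated; only the `in` group should ever reach any further tooling, and an `unlisted` result is a prompt to read the rules again rather than to guess. Note that the apex `example.com` comes back `unlisted` under the assumed rule, which is deliberate: programs differ on whether a wildcard entry covers the apex, so the check stays conservative until the program text says otherwise.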
